Add doc on how to use Istio Authorization with Knative and Istio mesh mode

[nak3]

Proposed Changes

This patch adds doc on how to use Istio Authorization with Knative.

As described in #2569, the sample configuration of Authorizationpolicy is helpful for our users.

Part of #2569

[abrennan89]

@nak3 some comments 🙂 a few things could maybe do with some additional explanation. This is good information though!
cc @mpetason

[abrennan89]

It's not clear to me from this title

1. What "strict authorization policy" is and why someone would need it for a Knative app?
2. Whether this section is conceptual information or contains steps to complete a task?

I'd try to make this clearer. Maybe something like:
"Enabling requests to Knative services when additional authorization policies are enabled"

[abrennan89]

I'm also wondering whether this belongs in a more Istio specific place, @mattmoor wdyt?

[nak3]

1. What "strict authorization policy" is and why someone would need it for a Knative app?

"strict authorization policy" is an Istio's feature. It can control access to allow/deny, which Knative does not have. So someone would like to use it.

Whether this section is conceptual information or contains steps to complete a task?

It is a "contains steps to complete a task"?

I'm also wondering whether this belongs in a more Istio specific place

Yes, we definitely should belong in an Istio specific place. But I think I should open a new request to create the new hierarchy of the doc like:
https://knative.dev/docs/serving/istio/some-new-feature (istio)
https://knative.dev/docs/serving/kourier/some-new-feature (kourier)

[abrennan89]

This should be a prerequisite instead, and I think this whole doc should be somewhere specific to Istio.
@evankanderson @mattmoor I think we should probably have some sort of "Post-installation tasks" section that includes things like this but I'm not sure, wdyt?

[abrennan89]

Explain what these commands actually do. It looks like it's creating a namepace and labelling it for istio-injection, but it's not clear what this accomplishes. Is this how a user enables access to Knative services as mentioned earlier?

[Shashankft9]

Hey @nak3, I am also working on this right now, testing Istio Authorization Policies with knative-serving.
I noticed that when I install istio with sidecar using this doc: https://knative.dev/v0.14-docs/install/installing-istio/ , I further had to edit the configmap in namespace istio-system as (by default it was disabled and hence the sidecars were not being injected to the pods upon labeling the namespace):

...
data:
  config: |-
    policy: enabled
...

so maybe the flags in the helm template are wrong or this is an additional step, I haven't tested with the way istio is installed here: https://knative.dev/docs/install/installing-istio/?

[nak3]

Hi @Shashankft9 Yes, it was discussed in #2073 whether it should be fixed or not. (Although it was not fixed on Istio 1.4, Istio 1.5+ can inject the sidecar with namespace label.)

[Shashankft9]

ahh I see, mine is v1.4.6, that explains. So I should Instead follow the installation steps from here: https://knative.dev/docs/install/installing-istio/#installing-istio-with-sidecar-injection? Will it conflict with my knative-serving v0.14.0 because I dont see any crd kind: IstioOperator right now.

[nak3]

Yes, the new Istio installation needs istioctl
command v1.5+ and it is totally different from helm's installation.

[abrennan89]

This looks good, thanks Kenjiro! 🙂
/lgtm

[abrennan89]

/hold

[abrennan89]

@nak3 do we need any other reviews from technical / eng folks here or is this OK to merge? I've put it on hold for now but it looks fine to me.

[nak3]

Thank you @abrennan89
Yes, I think we should get the lgtm from one more folks.

/cc @tcnghia @josueetcom @ZhiminXiang @itsmurugappan
Would you mind taking a look?

[Shashankft9]

maybe add what Using net-istio for your Knative Ingress signifies and what to do in order to make sure its being used - in the Before you begin section?

[itsmurugappan]

Its worth mentioning that, If you use principal and namespace in the policies, Mutual TLS need to be enabled. If you are using jwt claims, mtls is not a prereq.

[nak3]

Yes, we should. I updated the doc with the link to Istio doc.

[itsmurugappan]

overall looks good. Just a few nits from my side.

[josueetcom]

Is this a doc for specifically the case when additional authorization policies are enabled or is it a general doc for using Istio authorization with Knative and Istio mesh mode (per the PR title)?

[nak3]

Yes, It is a general doc for using Istio authorization with Knative and Istio mesh mode.

[josueetcom]

Hmm, maybe I'm lacking context but when I read the title it does immediately suggest this is specifically for Istio (do other networking layers have authorization policies?).

[josueetcom]

Just some minor nits, otherwise LGTM

[josueetcom]

Hmm, maybe I'm lacking context but when I read the title it does immediately suggest this is specifically for Istio (do other networking layers have authorization policies?).

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abrennan89, josueetcom, nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abrennan89]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nak3]

Thank you so much for the reviews!

Just one note, In addition to reflecting the review comments, I removed the "allowing list by namespace" example by e725e97. Because it allows all traffic via activator and it is very confusable and easy to create a security hall.
I already got the two feedback in #1130.

[nak3]

/unhold

[nak3]

@abrennan89 This is ready to merge, I think. Could you please add /lgtm again?

[abrennan89]

/lgtm
Thanks, Kenjiro! 🙂